Route an IP of my LAN to WAN2

Hi everyone !

I’m a newbie to Mikrotik and I have a hAP ac² as my main router. My router runs RouterOS 7.

I have connected 2 WANs: 1 from a fiber line and 1 from an LTE line, and the failover works well. I don’t need load balancing.

But I have a question. I need to route a specific IP to WAN 2, but I’m a little bit confused by some explanations.

Can anyone help me with the configuration to route the IP to WAN 2 (the LTE line)?

Thanks for your help!

PS: I apologize for my poor English, I’m French :wink:

Hello …
May I help you…
But of course,
Perfect.

So.

The easiest way to ‘force’ users out a specific WAN is to use a routing table, a route and a routing rule. The complex way is via mangling.
a. if you need to force entire subnets, the easy way works well.
b. if you need to force a small number of users, the easy way works well
c. if you need to force large numbers of users, either from one subnet but not the entire subnet or many users across different subnets, then mangling is required.

I will assume b fits your requirements…

create table
/routing table add fib name=useWAN2

add route (ISP2_gateway_IP is the gateway address of WAN2)
/ip route add dst-address=0.0.0.0/0 gateway=ISP2_gateway_IP routing-table=useWAN2

add routing rule
/routing rule add src-address=IP_user1 action=lookup table=useWAN2
/routing rule add src-address=IP_user2 action=lookup table=useWAN2
/routing rule add src-address=IP_userX action=lookup table=useWAN2

Note1: If you want the users NEVER to be able to fall back to WAN1 if WAN2 is not available, then change the action.
action=lookup-only-in-table

Note2: If your LAN has multiple subnets and those specific users need to reach the other subnet, then you will have to add additional routing rules to ensure this traffic doesn’t get forced out WAN2.
ex. let’s say user2, on subnetA, needs to reach a server on subnetB. Order counts, so ensure the new rule exists before the force-out-WAN rule!!!

Two examples of solutions… the general one applies to all users that may fall under the forced route…
/routing rule
add dst-address=IPofServerB action=lookup-only-in-table table=main comment="anyone heading to that IP will use table main"
add src-address=IP_user1 action=lookup table=useWAN2
add src-address=IP_user2 action=lookup table=useWAN2
add src-address=IP_userX action=lookup table=useWAN2

If you wanted to pinpoint user2
/routing rule
add dst-address=IPofServerB src-address=IP_user2 action=lookup-only-in-table table=main comment="only user2 is freed from being forced out WAN2 and allowed to access ServerB"
add src-address=IP_user1 action=lookup table=useWAN2
add src-address=IP_user2 action=lookup table=useWAN2
add src-address=IP_userX action=lookup table=useWAN2

Hello Anav! :smiley:

Thanks for your help! It works really well, and I finally have what I wanted!

Thanks a lot for your help! It works as I wished!

Your reply is so clear, I bookmarked it in case I need it again.

Have a nice day :wink:

@anav Hi, after a long time I tried your solution, but I have a problem. I cannot see my NAS that goes through WAN2 if I connect remotely through VPN. When on the LAN everything works OK.
P.S. I put my NAS to go through WAN2.

Very unhelpful post LOL
You need to at least post your config
/export file=anynameyouwish (minus router serial#, any public WAN IP information, keys)

2025-10-28 23:05:28 by RouterOS 7.20

/interface bridge
add name=bridge1 port-cost-mode=short
/interface ethernet
set [ find default-name=ether1 ] name="ether1 - Starlink"
set [ find default-name=ether2 ] name="ether2 - LHG"
set [ find default-name=ether3 ] name="ether3 - crs328 B"
set [ find default-name=ether4 ] name="ether4 - crs328 A"
set [ find default-name=ether5 ] name="ether5 - crs328 C"
set [ find default-name=ether6 ] name="ether6 - Synology 1"
set [ find default-name=ether7 ] name="ether7 - Synology 2"
set [ find default-name=ether9 ] name="ether9 - TpLink"
set [ find default-name=ether10 ] name="ether10 - WD"
set [ find default-name=ether11 ] name="ether11 - server"
set [ find default-name=ether12 ] name="ether12 - server"
set [ find default-name=ether13 ] name="ether13 - DVR"
/interface vlan
add interface=bridge1 name="vlan100 Guests" vlan-id=100
/interface bonding
add mode=802.3ad name="bonding - Synology" slaves=
"ether6 - Synology 1,ether7 - Synology 2" transmit-hash-policy=
layer-3-and-4
/interface lte apn
set [ find default=yes ] ip-type=ipv4 use-network-apn=no
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=Lan ranges=10.1.1.100-10.1.1.199
add name=L2TP ranges=10.2.1.20-10.2.1.50
add name=Guest ranges=192.168.10.2-192.168.10.254
/ip dhcp-server
add address-pool=Lan interface=bridge1 lease-time=1d name="dhcp Lan"
add address-pool=Guest interface="vlan100 Guests" name="dhcp Guests"
/port
set 0 name=serial0
set 1 name=serial1
/ppp profile
add dns-server=1.1.1.1 local-address=10.2.1.1 name=L2TP remote-address=L2TP
use-ipv6=no
/routing table
add disabled=no fib name=useWAN2
/zerotier
set zt1 disabled=no disabled=no identity="111111111111"
/zerotier interface
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=
zt1 name=zerotier1 network=xxxxxxx
add allow-default=no allow-global=no allow-managed=yes disabled=no instance=
zt1 name=zerotier2 network=xxxxxxxxxx
/interface bridge port
add bridge=bridge1 ingress-filtering=no interface="ether3 - crs328 B"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether4 - crs328 A"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether5 - crs328 C"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface=ether8 internal-path-cost=
10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether9 - TpLink"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether10 - WD"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether11 - server"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether12 - server"
internal-path-cost=10 path-cost=10
add bridge=bridge1 ingress-filtering=no interface="ether13 - DVR"
internal-path-cost=10 path-cost=10
add bridge=bridge1 interface="bonding - Synology"
/interface l2tp-server server
set default-profile=L2TP enabled=yes ipsec-secret="xxxxxxxx"
use-ipsec=yes
/ip address
add address=10.1.1.248/24 interface=bridge1 network=10.1.1.0
add address=192.168.10.1/24 interface="vlan100 Guests" network=192.168.10.0
/ip cloud
set ddns-enabled=yes ddns-update-interval=1m
/ip dhcp-client
add default-route-tables=main interface="ether1 - Starlink" use-peer-dns=no
add default-route-distance=2 default-route-tables=useWAN2 interface=
"ether2 - LHG" use-peer-dns=no
/ip dhcp-server lease
add address=10.1.1.163 comment=Skotadis mac-address=74:46:A0:C4:74:E5 server=
"dhcp Lan"
add address=10.1.1.89 comment=Pandora mac-address=9C:53:33:6A:5C:41 server=
"dhcp Lan"
add address=10.1.1.80 mac-address=2C:8D:B1:EF:C7:A6 server="dhcp Lan"
/ip dhcp-server network
add address=10.1.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=10.1.1.248
add address=192.168.10.0/24 gateway=192.168.10.1
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=1.1.1.1,8.8.8.8
/ip firewall address-list

/ip firewall filter
add action=drop chain=forward dst-address=10.1.1.0/24 src-address=
192.168.10.0/24
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="Port scanners to list "
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan"
protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp
tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp
tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=
tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp
tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp
tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners"
src-address-list="port scanners"
add action=fasttrack-connection chain=forward connection-state=established
disabled=yes hw-offload=yes
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward comment="Allow Only access From My Country"
disabled=yes in-interface="ether1 - Starlink" src-address-list=!GR
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 - Starlink"
add action=masquerade chain=srcnat out-interface="ether2 - LHG"
add action=dst-nat chain=dstnat comment="3CX Presence and Provisioning HTTPS"
dst-port=5011 protocol=tcp src-address=!10.1.1.0/24 to-addresses=
10.1.1.253 to-ports=5011
add action=dst-nat chain=dstnat dst-port=5001 protocol=tcp src-address=
!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=5001
add action=dst-nat chain=dstnat comment="3CX SIP UDP" dst-port=5060 protocol=
udp src-address=!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=5060
add action=dst-nat chain=dstnat dst-port=5060 protocol=tcp src-address=
!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX SIP TLS" dst-port=5061 protocol=
tcp src-address=!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=5061
add action=dst-nat chain=dstnat comment="3CX Media UDP" dst-port=9000-10999
protocol=udp src-address=!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=
9000-10999
add action=dst-nat chain=dstnat comment="3CX Tunnel TCP" dst-port=5090
protocol=tcp src-address=!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=
5090
add action=dst-nat chain=dstnat comment="3CX Tunnel UDP" dst-port=5090
protocol=udp src-address=!10.1.1.0/24 to-addresses=10.1.1.253 to-ports=
5090
add action=dst-nat chain=dstnat comment=Alphasoft dst-port=8080 protocol=tcp
src-address=!10.1.1.0/24 to-addresses=10.1.1.150 to-ports=8080
add action=dst-nat chain=dstnat dst-port=8123 protocol=tcp src-address=
!10.1.1.0/24 to-addresses=10.1.1.150 to-ports=8123
add action=dst-nat chain=dstnat dst-port=8333 protocol=tcp src-address=
!10.1.1.0/24 to-addresses=10.1.1.150 to-ports=8333
add action=dst-nat chain=dstnat comment=Ubiquity dst-port=8443 protocol=tcp
src-address=!10.1.1.0/24 to-addresses=10.1.1.115 to-ports=8443
add action=dst-nat chain=dstnat comment=iDrac dst-port=10001 protocol=tcp
src-address=!10.1.1.0/24 to-addresses=10.1.1.250 to-ports=443
add action=dst-nat chain=dstnat comment="Synology Drive" dst-port=6690
protocol=tcp src-address=!10.1.1.0/24 to-addresses=10.1.1.146 to-ports=
6690
add action=masquerade chain=srcnat comment=Hairpin dst-address=10.1.1.0/24
protocol=tcp src-address=10.1.1.0/24
add action=dst-nat chain=dstnat dst-address=!10.1.1.248 dst-address-type=
local dst-port=5001,5090 protocol=tcp to-addresses=10.1.1.253
add action=dst-nat chain=dstnat dst-port=5985 protocol=tcp src-address=
!10.1.1.0/24 to-addresses=10.1.1.115 to-ports=5985
add action=dst-nat chain=dstnat comment="Synology ActiveBackupForBusiness"
dst-port=5510 protocol=tcp src-address=!10.1.1.0/24 to-addresses=
10.1.1.146 to-ports=5510
add action=dst-nat chain=dstnat comment="Synology c2 Identity" dst-port=7712
protocol=tcp src-address=!10.1.1.0/24 to-addresses=10.1.1.146 to-ports=
7712
add action=dst-nat chain=dstnat comment="Synology drive" dst-port=6690
protocol=tcp src-address=!10.1.1.0/24 to-addresses=10.1.1.146 to-ports=
6690
/ip firewall service-port
set sip disabled=yes
/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 dpd-interval=2m
dpd-maximum-failures=5
/ip service
set ftp disabled=yes
set ssh disabled=yes
set telnet disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ipv6 firewall address-list

/ppp secret
add name=xxxxxxxx password="xxxxxxxx" profile=L2TP service=l2tp
add name=xxxxxxxx password="xxxxxxxx" profile=L2TP service=l2tp
add name=xxxxxxxx password="xxxxxxxx" profile=L2TP service=l2tp
add disabled=yes name=xxxxxxxx password="xxxxxxxx" profile=
L2TP
add disabled=yes name=xxxxxxxx password="xxxxxxxx" profile=L2TP
service=l2tp
add name=xxxxxxxx password="xxxxxxxx" profile=L2TP service=l2tp
add disabled=yes name=xxxxxxxx password="xxxxxxxx" profile=L2TP
service=l2tp
add disabled=yes name=xxxxxxxx password="xxxxxxxx" profile=L2TP
service=l2tp
add name=xxxxxxxx password="xxxxxxxx" profile=L2TP service=l2tp
/routing bfd configuration
add disabled=no interfaces=all min-rx=200ms min-tx=200ms multiplier=5
/routing rule
add action=lookup-only-in-table comment=Synology disabled=no src-address=
10.1.1.146/32 table=useWAN2
add action=lookup-only-in-table comment=3cx disabled=no src-address=
10.1.1.253/32 table=useWAN2
/system clock
set time-zone-name=Europe/Athens
/system identity
set name="MikroTik Router"
/tool romon
set enabled=yes
/tool sniffer
set filter-dst-port=imaps filter-src-ip-address=10.1.1.142/32

Hi there... some observations:

  1. It would appear that your problem may stem from an improperly set up IP DHCP client. Do not use special tables in the IP DHCP Client setting. That use is for a manual route that will be used either for mangling rules, or routing rules to 'force' a user, or users, or subnet out a particular WAN.

So this is the problem, in bold:
ip dhcp-client
add default-route-tables=main interface="ether1 - Starlink" use-peer-dns=no
add default-route-distance=2 default-route-tables=useWAN2 interface=
"ether2 - LHG" use-peer-dns=no

Should be.... MAIN!!!

ip dhcp-client
add default-route-tables=main interface="ether1 - Starlink" use-peer-dns=no
add default-route-distance=2 default-route-tables=main interface=
"ether2 - LHG" use-peer-dns=no

Yes we will still need to create a manual route for the special table!

  2. Modify routing rules to ensure any local traffic to/from those local IPs is permitted before being forced out WAN2
add action=lookup-only-in-table min-prefix=0  table=main
add action=lookup-only-in-table comment=Synology disabled=no src-address=
10.1.1.146/32 table=useWAN2
add action=lookup-only-in-table comment=3cx disabled=no src-address=
10.1.1.253/32 table=useWAN2

Now order is imperative so the new rule has to be first. Since in routing rules you can only drag rules down, you will have to drag the other rules down past the new rule ( cannot drag the new rule up ).

  3. Create the manual route
/ip route
add dst-address=0.0.0.0/0 comment="Dedicated WAN" gateway="ACTUAL GATEWAY IP of WAN2" \
     routing-table=useWAN2

+++++++++++++++++++++++

If the ISP on WAN2 gives you a dynamic IP, then the gateway IP may change. Not a problem if only the WAN IP changes, but often if the gateway IP changes, the router does not update the manually created route. Not a problem, as we can deal with this in the IP DHCP client area, and you can see I have added the comment to this route for a reason!!!

We use the following script (this is copied directly from the IP DHCP client script area found in the Advanced tab)

:if ($bound=1) do={
    :local gw $"gateway-address"
    /ip route set [ find comment="Dedicated WAN" gateway!=$gw ] gateway=$gw
    /tool e-mail send to="your email address" subject=([/system identity get name]) \
        body="This is your new gateway for ISP2 IP: $gw"
    :local sub3 ([/system clock get time])
}

The tool email part is optional, and without it it looks like:
:if ($bound=1) do={
    :local gw $"gateway-address"
    /ip route set [ find comment="Dedicated WAN" gateway!=$gw ] gateway=$gw
}


Hope this helps!

After doing this all is working except the port forwarding I had on 10.1.1.146.

Please explain in more detail.
You stated you wanted ALL TRAFFIC associated with 10.1.1.146 and 10.1.1.253 to go out WAN2 for internet access.

It would appear that your port forwarding is not in the proper format. Missing the relevant interface, in this case ether2.
You need to state either in-interface="ether2 - LHG" (for dynamic WAN IPs) or dst-address=<fixed public IP> on each port forwarding rule.

In addition, users have to come in on WAN2, so they should not be using WAN1 to access the router for port forwarding.
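Pulling the pieces of this thread together (the table/route/rule setup from the first reply and the DHCP-client, rule-order and port-forwarding corrections above), here is an added worked example; it is not anav's or the poster's config. It assumes the NAS is 10.1.1.146 and WAN2 is "ether2 - LHG" with a DHCP-assigned gateway, both taken from the posted export, and GATEWAY_WAN2 is a placeholder for the gateway address WAN2 currently hands out.

```routeros
# Added example (not from the thread). Assumes NAS = 10.1.1.146, WAN2 = "ether2 - LHG"
# (both from the posted export); GATEWAY_WAN2 is a placeholder for WAN2's current gateway.

# 1. Both DHCP clients install their default route in main only. The special
#    table never receives a DHCP route; it gets the manual route from step 3.
/ip dhcp-client
add interface="ether1 - Starlink" default-route-tables=main use-peer-dns=no
add interface="ether2 - LHG" default-route-distance=2 default-route-tables=main \
    use-peer-dns=no

# 2. Dedicated routing table for the forced host.
/routing table
add fib name=useWAN2

# 3. Manual default route in that table. The comment is what the
#    DHCP-client script in step 5 searches for.
/ip route
add dst-address=0.0.0.0/0 gateway=GATEWAY_WAN2 routing-table=useWAN2 \
    comment="Dedicated WAN"

# 4. Order matters. The first rule resolves LAN, guest VLAN and L2TP /32
#    destinations in main (min-prefix=0 skips main's 0.0.0.0/0), so the NAS
#    still answers VPN clients; everything else from the NAS is pinned to WAN2.
/routing rule
add action=lookup-only-in-table min-prefix=0 table=main comment="local first"
add src-address=10.1.1.146/32 action=lookup-only-in-table table=useWAN2 \
    comment="Synology via WAN2"

# 5. Keep the manual route's gateway current when WAN2's lease changes. Same
#    script as in the thread, attached from the CLI; $ and " are escaped
#    because the script is passed as a quoted string.
/ip dhcp-client
set [ find interface="ether2 - LHG" ] script=":if (\$bound=1) do={ :local gw \$\"gateway-address\"; /ip route set [ find comment=\"Dedicated WAN\" gateway!=\$gw ] gateway=\$gw }"

# 6. Masquerade per WAN, plus a port forward that matches only on WAN2, so the
#    public name used for the NAS must resolve to WAN2's address, not WAN1's.
/ip firewall nat
add chain=srcnat out-interface="ether1 - Starlink" action=masquerade
add chain=srcnat out-interface="ether2 - LHG" action=masquerade
add chain=dstnat in-interface="ether2 - LHG" protocol=tcp dst-port=5001 \
    action=dst-nat to-addresses=10.1.1.146 comment="Synology DSM via WAN2"
```

After pasting, confirm with /routing rule print that the min-prefix=0 rule sits above the src-address rule, and with /ip route print where routing-table=useWAN2 that the manual route shows an active gateway.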

Yes, I’ve changed to in-interface="ether2 - LHG" but it’s still not working.

Can you confirm external users are using a domain name pointing to WAN2, and do you also have internal users?

Sorry, that was the problem. I was pointing to the cloud DNS, and it was on WAN1, not WAN2.